
Integrating SBOMs and Risk for Enhanced Cybersecurity Management

I’ve noticed that conversations on Software Bills of Materials (SBOMs) generally discuss what they are, their value, and issues around their generation. However, I haven’t seen or heard much evidence that SBOMs are incorporated into operational processes. It's important to realize that SBOMs can be a valuable tool in managing cybersecurity risk, and they don’t have to be used in isolation from existing cybersecurity processes.

In a recent conversation with Dmitry Raidman, CTO of Cybeats, the term RiskOps came up. RiskOps is a condensed version of "Risk Operations" and indicates the fusion of risk management and operations management methodologies. The central objective is to recognize, appraise, and reduce potential risks linked to business operations, aiming to minimize losses and enhance operational productivity. This includes various activities such as scrutinizing risks, reporting on them, monitoring them, and devising plans to diminish their impact. The ultimate purpose of RiskOps is to provide organizations with the knowledge and tools to make informed decisions about their operations and to be better prepared to handle risks as they arise.

In the world of cybersecurity, the Risk Management Framework (RMF) is a seven-step process under the Federal Information Security Modernization Act (FISMA) that helps organizations manage risks associated with information technology. NIST SP 800-37r2 identifies potential inputs for each task, like information about supply chains, assets, systems and system elements, system component inventories, and risk determinations.

Unfortunately, neither the phrase “software bill of materials” nor “SBOM” appears within the text of the guidance provided by NIST. As a result, a majority of cybersecurity practitioners are unfamiliar with SBOMs or the value they bring to the RMF process.

An SBOM is a missing link that provides an actionable definition for the concept of “supply chain information” concerning the trustworthiness and verifiability of software provenance. Using SBOMs to feed the RMF process is an excellent example of leveraging SBOMs to support RiskOps.

By incorporating SBOM data into the various operations management processes like supply chain risk management, asset management, vulnerability management, and defensive cyberspace operations, the inputs to the RMF tasks are more richly detailed with software provenance information, allowing for potential security vulnerabilities and indicators of risk to be identified and mitigated.
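As an added illustration of that point (example code written for this edit, not from the original post or from Cybeats), the script below takes a CycloneDX SBOM and turns it into three of the RMF task inputs named above: a system component inventory, a vulnerability-management finding list (components matched against an advisory feed by package URL), and a supply-chain input listing components whose supplier is not declared. The SBOM, the advisory entries, the package names and the advisory identifiers are all constructed sample data, not real packages or real CVEs.

```python
"""Added example: derive RMF task inputs (component inventory, vulnerability
findings, supply-chain provenance gaps) from a CycloneDX SBOM.
All sample data below is constructed for illustration."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed CycloneDX 1.4 JSON SBOM; package names and purls are invented.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application",
                              "name": "billing-service", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "example-http", "version": "1.4.2",
     "purl": "pkg:npm/example-http@1.4.2", "supplier": {"name": "Example Org"}},
    {"type": "library", "name": "example-yaml", "version": "0.9.0",
     "purl": "pkg:pypi/example-yaml@0.9.0"},
    {"type": "library", "name": "example-crypto", "version": "3.1.0",
     "purl": "pkg:maven/org.example/example-crypto@3.1.0",
     "supplier": {"name": "Example Org"}}
  ]
}
"""

# Constructed advisory feed keyed by version-less purl. The ids are
# placeholders, not real CVE or GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:npm/example-http",
     "affected_versions": ["1.4.1", "1.4.2"], "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:pypi/example-yaml",
     "affected_versions": ["0.8.0"], "severity": "critical"},
]


@dataclass
class Component:
    name: str
    version: str
    purl: str
    supplier: Optional[str]  # None when the SBOM states no supplier


@dataclass
class RmfInputs:
    system: str                                             # system under assessment
    inventory: list = field(default_factory=list)           # system component inventory
    findings: list = field(default_factory=list)            # vulnerability-management input
    unknown_provenance: list = field(default_factory=list)  # supply-chain input


def split_purl(purl: str):
    """Return (purl without version, qualifiers or subpath, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, ""


def parse_cyclonedx(text: str):
    """Parse a CycloneDX JSON document into (system name, [Component])."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    meta = bom.get("metadata", {}).get("component", {})
    system = f"{meta.get('name', 'unknown')} {meta.get('version', '')}".strip()
    comps = []
    for c in bom.get("components", []):
        supplier = (c.get("supplier") or {}).get("name")
        comps.append(Component(c["name"], c.get("version", ""), c.get("purl", ""), supplier))
    return system, comps


def match_advisories(components, advisories):
    """Join inventory to the advisory feed on version-less purl, then filter by version."""
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in components:
        base, version = split_purl(comp.purl)
        for adv in by_purl.get(base, []):
            if version in adv["affected_versions"]:
                findings.append({"advisory": adv["id"], "severity": adv["severity"],
                                 "component": comp.purl})
    return findings


def build_rmf_inputs(sbom_text, advisories):
    """Produce the three RMF task inputs from an SBOM and an advisory feed."""
    system, comps = parse_cyclonedx(sbom_text)
    inputs = RmfInputs(system=system)
    inputs.inventory = comps
    inputs.findings = match_advisories(comps, advisories)
    inputs.unknown_provenance = [c.purl for c in comps if not c.supplier]
    return inputs


def highest_severity(inputs):
    """Worst severity across findings, or 'none' when there are no findings."""
    order = {"critical": 3, "high": 2, "medium": 1, "low": 0}
    return max((f["severity"] for f in inputs.findings), key=order.get, default="none")


if __name__ == "__main__":
    r = build_rmf_inputs(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    print(r.system, len(r.inventory), r.findings, r.unknown_provenance, highest_severity(r))
```

The join is deliberately done on the version-less purl and then filtered by exact version, so a component that shares a name with an advised package but sits outside the affected range (example-yaml here) does not become a false finding; in a real pipeline the version comparison would use the ecosystem's range semantics rather than a list of exact strings.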

And there, we come full circle to the term RiskOps. I don’t expect the term to get much traction. Still, I hope the SBOM and RMF communities become more familiar with each other and leverage existing business processes to enhance cybersecurity.
